#!/bin/bash
# 2017.11.27
# Fixed search path so that the system binaries used below are found no
# matter what environment the caller (cron, init, an interactive root shell)
# provides.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
export PATH
# Discard all output for the lifetime of the script. Note this also hides
# errors from every command below, so a failure is only visible through the
# alert mails that do get sent.
exec >/dev/null 2>&1
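#######################################
# Send an alert mail by scripting a plain SMTP session over telnet.
# Arguments: $1 - subject line; the local IP address is appended
#            $2 - body text; backslash escapes such as \n are expanded
#                 (callers pass literal "\n\n" sequences)
# Globals:   none read; every SMTP setting is a local constant below
# Outputs:   the telnet dialogue on stdout (discarded by the exec
#            redirection at the top of the script)
# Returns:   the exit status of telnet (last command of the pipeline)
#
# NOTE(review): the SMTP credentials are hard-coded and merely base64-encoded
# (that is encoding, not encryption), and AUTH LOGIN is sent over an
# unencrypted port-25 session. Anyone who can read this file, and anyone on
# the network path, obtains the mail account. Prefer keeping them in a
# root-only (mode 0600) file or the environment, and a TLS-protected
# submission channel where the relay supports one.
#######################################
mail() {
  local subject=$1
  local body=$2
  # The original kept host and port in one string and relied on word
  # splitting; two variables make the telnet invocation explicit.
  local -r smtp_host="smtp.ezcdn.cn"
  local -r smtp_port="25"
  local -r smtp_domain="sub.wsztest.com"
  local -r from="smonitor@sub.wsztest.com"
  local -r rcpt_to="yunwei.list@cndns.com"
  local -r username="c21vbml0b3JAc3ViLndzenRlc3QuY29t"
  local -r password="UzB1RjlxWDJZVQ=="
  local local_ip local_name line

  local_ip=$(ifconfig | grep Bcast | awk -F: '{print $2}' | awk -F " " '{print $1}' | head -1)
  # Newer net-tools print "broadcast" instead of "Bcast", which leaves the
  # pipeline above empty; fall back to the first address from hostname -I
  # where that flag exists, so the subject still carries an address.
  if [ -z "$local_ip" ]; then
    local_ip=$(hostname -I 2>/dev/null | awk '{print $1}')
  fi
  local_name=$(uname -n)

  # SMTP commands sent one per line, each followed by a pause so the relay's
  # reply has arrived before the next command (no reply is parsed).
  local -a dialogue=(
    "ehlo $smtp_domain"
    "AUTH LOGIN"
    "$username"
    "$password"
    "MAIL FROM:<$from>"
    "RCPT TO:<$rcpt_to>"
    "DATA"
  )

  {
    # Give the relay time to print its banner before the first command.
    sleep 10
    for line in "${dialogue[@]}"; do
      printf '%s\n' "$line"
      sleep 4
    done
    printf 'Subject:%s %s\n' "$subject" "$local_ip"
    printf 'From:<%s>\n' "$from"
    printf 'To:<%s>\n' "$rcpt_to"
    printf '\n'
    # %b expands backslash escapes in the argument, like the echo -e the
    # original used, but with the format string under our control.
    printf '%b\n' "$local_name\n$local_ip\n$body"
    printf '.\n'
    sleep 2
    printf 'quit\n'
  } | telnet "$smtp_host" "$smtp_port"
}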

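# Constants for the monitoring loop below.
# Baseline copy of root's password hash; contains a hash, so it is created
# with mode 0600 and then made immutable.
readonly PASS_FILE=/root/pass.file
readonly SSHD_CONFIG=/etc/ssh/sshd_config
# Users that may be logged in without raising an "Illegal login" alert
# (regex alternation; the dot is escaped so it matches only a literal dot).
readonly ALLOW_USER='root|cndns\.us'
# Source addresses that may be logged in, as a regex alternation. The dots
# are escaped before use so that '.' does not match any character.
ALLOW_IP="114.80.208.162|114.80.208.131|114.80.215.216|210.16.188.25|222.73.129.9"
readonly ALLOW_IP
readonly ALLOW_IP_RE=${ALLOW_IP//./\\.}
# Address whose presence in the filter table is taken as "iptables is up".
readonly IPTABLES_MARKER_IP="114.80.215.216"

#######################################
# Print the password hash on the first line of /etc/shadow.
# The script assumes, as it always did, that root is the first entry; the
# username check in the loop alerts when the first /etc/passwd entry is
# no longer root.
#######################################
root_shadow_hash() {
  awk -F: 'NR==1{print $2}' /etc/shadow
}

#######################################
# Succeed when an scp transfer is in progress. The destructive actions
# below (killing sessions, restarting sshd/iptables) are skipped then.
# pgrep excludes itself, unlike the ps|grep|wc count it replaces.
#######################################
scp_running() {
  pgrep -f scp >/dev/null
}

#######################################
# Kill sessions idle for more than 20 minutes.
# Arguments: $1 - the output of `w`, captured once by the caller so that
#                 killing a session does not shift the remaining lines
# Columns are read positionally as the original did: column 2 is TTY and
# column 5 is IDLE (procps prints "20.00s", "3:21", "1:05m" or "2days").
#######################################
kill_idle_sessions() {
  local w_out=$1
  local _user tty _from _login idle _rest idle_min
  while read -r _user tty _from _login idle _rest; do
    # An empty snapshot yields one empty line; nothing to kill.
    [[ -n "$tty" ]] || continue
    idle_min=${idle%%:*}
    if grep -E -q '([0-9]+day|:[0-9]*m)' <<<"$idle"; then
      # Idle for hours or days.
      pkill -KILL -t "$tty"
    elif [[ "$idle_min" =~ ^[0-9]+$ ]] && (( 10#$idle_min > 20 )); then
      # IDLE shown as minutes:seconds and over the 20-minute limit.
      pkill -KILL -t "$tty"
    fi
  done <<<"$(printf '%s\n' "$w_out" | sed -n '3,$p')"
}

#######################################
# Main loop: every 120 s check root's account, idle sessions, the sshd and
# iptables state and the logged-in users; alert by mail on anything odd.
# No `set -e` on purpose: a failing check must not stop the monitor.
#######################################
while :; do
  if [ ! -f "$PASS_FILE" ]; then
    # First run: record the current hash as the baseline. The umask in the
    # subshell keeps the file root-only before chattr +i locks it.
    ( umask 077; root_shadow_hash > "$PASS_FILE" )
    chattr +i "$PASS_FILE"
  fi

  PASS=$(root_shadow_hash)

  #check passwd for root
  if [ "$(awk -F: 'NR==1{print $1}' /etc/passwd)" != 'root' ]; then
    mail "Dangerous! Username changed for root" "Dangerous! Root Username changed!\n\n$(head -1 /etc/passwd)"
  fi

  # Both sides quoted: an empty baseline file would otherwise leave `[`
  # with a missing operand and the comparison would never fire.
  if [ "$PASS" != "$(cat "$PASS_FILE")" ]; then
    mail "Dangerous! password changed for root" "Dangerous! Password changed for root,please check the server now!"
  fi

  #pkill tty
  # Snapshot `w` once; NUM == 2 means only the two header lines, i.e. no
  # logged-in sessions.
  W_OUT=$(w)
  NUM=$(printf '%s\n' "$W_OUT" | wc -l)
  if ! scp_running; then
    kill_idle_sessions "$W_OUT"
  fi

  #check ssh|iptables server
  # Root login counts as open when the directive is still commented out
  # (OpenSSH's historic default was yes) or explicitly set to yes. Drop-in
  # files included from sshd_config are not inspected.
  if grep -q '#PermitRootLogin' "$SSHD_CONFIG" \
      || grep 'PermitRootLogin' "$SSHD_CONFIG" | grep -q 'yes'; then
    # Only act when nobody is logged in and no scp transfer is running.
    if [ "$NUM" = 2 ] && ! scp_running; then
      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' "$SSHD_CONFIG"
      # Validate the edited configuration before restarting: a rejected
      # sshd_config would leave the host without remote access.
      if sshd -t; then
        service ssh restart || service sshd restart
        mail "ssh services restarted" "Root users open login, has been banned!\n\n$(w)"
      else
        mail "sshd config check failed" "PermitRootLogin was set to no but 'sshd -t' rejected the configuration; sshd was NOT restarted.\n\n$(w)"
      fi
    fi
  fi

  # Fixed-string match: the marker is an address, not a pattern.
  if ! iptables -L -n | grep -F -q "$IPTABLES_MARKER_IP"; then
    if [ "$NUM" = 2 ] && ! scp_running; then
      /etc/init.d/iptables restart
      mail "iptables services restarted" "Iptables is closed and has been turned on!\n\n$(w)"
    fi
  fi

  #check login user and ip address
  CHECK_USER_COMD=$(w | sed -n '3,$p' | awk '{print $1}' | grep -v -E -w "($ALLOW_USER)")
  if [ -n "$CHECK_USER_COMD" ]; then
    mail "Dangerous! Illegal login" "Dangerous! Illegal login!\n\n$(w)"
  fi

  # Sessions on a local tty carry no source address and are skipped. If `w`
  # resolves the FROM column to a hostname, it will not match the allow
  # list and an alert is raised, as before.
  CHECK_IP_COMD=$(w | sed -n '3,$p' | grep -v 'tty' | awk '{print $3}' | grep -v -E -w "($ALLOW_IP_RE)")
  if [ -n "$CHECK_IP_COMD" ]; then
    mail "Dangerous! Illegal login" "Dangerous! Illegal login!\n\n$(w)"
  fi

  sleep 120
done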
